Curbing SIM swap fraud requires joint effort
Global research shows Africa and Asia are embracing mobile payments more than any other regions in the world.
"Your phone is no longer just a phone, it is your wallet. This situation may be convenient for you and me but it is also one that is extremely attractive to cyber criminals."
This was the word from Fabio Assolini, senior security researcher for the global research and analysis team at Kaspersky Lab. He was speaking during Kaspersky's Cyber Security Weekend being held at the Table Bay Hotel in Cape Town this week.
According to Assolini, sinister characters use duplicate SIM cards to impersonate their victims and bypass banking security protocols in the process. Consider, for example, the one-time PIN (OTP) code you are sent to authorise transactions, or to reset account details.
Many financial and online services send these PINs via SMS and when a criminal does a SIM swap they are able to intercept these text messages. In addition, some SIM swap fraudsters will download WhatsApp using the duplicate SIM card and then reach out to the victim's contacts asking for money.
Today, we are seeing regular criminals collaborating with cyber criminals and sometimes it is the employees of the big telcos that give hackers the information they need to execute SIM swaps, Assolini noted.
Some of the top SIM swap fraudsters even advertise their services online, selling personal information for as little as $10.
Statistics released by the South African Banking Risk Information Centre last year revealed the number of SIM swap fraud incidents in SA rose from 4 040 between January and August 2017, to 8 254 incidents from January to August 2018.
What's the solution?
One country getting things right is South Africa's northern neighbour - Mozambique, Assolini explained. "They had big, big problems with SIM swap fraud. So banks and carriers got together to do something about the issue."
Their solution saw banks and carriers collaborating in real-time. When a transaction is made, banks will check with the carrier if the corresponding phone number has been SIM-swapped in the last 48 hours. Depending on the carrier's response, the bank will either halt the transaction and seek more information, or approve the transfer.
In one month, SIM swap fraud dropped by 60%. In six months, they had curbed SIM swaps altogether, he said, admitting that implementing a similar authentication process in bigger countries with larger telecoms ecosystems would be much more complex.
For Assolini, curbing SIM swaps relies on carriers to strengthen their authentication processes and on banks to stop sending OTPs via SMS as these are not safe. He added that regular users can keep themselves secure by always being aware of their device's connectivity. If you can't make or receive phone calls all of a sudden, be sure to contact your network provider to check that you haven't become a SIM swap victim, he said.
He also stressed the importance of activating two-factor authentication on everything, especially WhatsApp, which has become a hot target for cyber criminals.
The risks are there, he concluded, it's up to carriers to keep users safe but it is also up to us to know how to protect ourselves.